
Bug#648595: broken links under www.d.o/security/audit/

On Sun, Nov 13, 2011 at 04:59:19PM +0800, Paul Wise wrote:
> These two links are referenced by the Debian security audit pages but
> the domain has been taken by squatters. 

I have modified the pages to

a) remove the pointer to http://shellcode.org/Setuid/, there is currently no
alternative (that I know of)

b) point maintainers and interested users/developers to the public
debian-security mailing list instead of to the old debian-audit mailing list
(which was also public BTW)

> Could someone from the security
> team suggest the correct course of action here? 

I'm not a security team member, but an (inactive) member of the debian-audit
team. I think the best course of action is to keep the pages since they
describe processes, tools and information that is relevant for developers and
for prospective auditors.

The pages do not highlight currently, however, that the Debian Audit team is
currently unmanned. I'm adjusting intro/organization also somewhat.

> Does the security team
> generate a list of all setuid/setgid executables in Debian? There does
> not appear to be a replacement for the debian-audit list, should mails
> about that be directed to debian-security?

For the time being I have updated the webpages to point to debian-security to
replace the previous mailing list. I have also submitted a project
registration at Alioth ('debian-audit') so that the project has its own space
for tools and for a mailing list.

Once the project is approved I will point to that mailing list, and will try
to have the old content of the mailing list (old posts) restored there too.

> http://shellcode.org/Setuid/

As for this tool, it was developed by Steve Kemp and I'm not sure the code
was made public. It would not be very difficult to produce a similar tool if
developers are still interested.

For the time being, I've removed pointers to that tool from the webpage so
that we do not point to cyber-squatter domains.


